How to configure HTTP READ-Protected Folders
By Brian Atkinson
It is often said that it makes good sense to store your databases outside of the web-accessible directories, but in many hosting situations this is simply not possible. What if there were a way to have a non-web-accessible directory located inside the web-accessible directory?
Setting up a non-web-accessible database from within a web-accessible directory is actually quite simple. Suppose that we have a Default Web Site and several folders underneath it. One of the folders is named Site1 and contains a folder named data. Within the data folder there is a database named database.mdb, with the physical path:
If you were to visit the specific URL, like:
depending on how your server is set up, you would probably be prompted to save the database (or Access might just have opened the database for you). The point is that you had HTTP access to the database. This is bad: anyone who can guess the path to your Access database can now retrieve it!
Also, as discussed in Security Alert - Using Includes Improperly from Non-Debugged ASP Pages Can Allow Visitors to View Your Source Code, placing include files without a .ASP extension in directories with READ permissions constitutes a security risk.
Now that we've identified why placing sensitive files in public Web site directories is a problem, we will investigate how to prevent this access!
Start by opening the Internet Service Manager and navigating to the
Obtain the properties for this directory and set the IIS permissions as shown in the image below.
Removing the READ access permission is the key to preventing web access to this folder: it tells IIS that HTTP READ requests to this folder will not be allowed. Since nothing should be located inside this folder except a database, it is also safe to change the Permissions setting to NONE. Keep in mind that these settings have nothing to do with NTFS permissions, which we will look at a bit later.
Save the console settings and exit the MMC. Now let's test these settings.
If you try revisiting your Access database through a URL, as we did earlier, you will receive HTTP Error 403.2, stating that Read Access is Forbidden.
The next question is how an Active Server Page can access the database if there is no READ access. All file access (including ASP activity) is performed in the context of an NT user account. For convenience's sake, let's assume that it is the IUSR_4GUYS account. Just because IUSR_4GUYS cannot access the database via the HTTP protocol does not mean that IUSR_4GUYS cannot access the database via an ASP script on the local file system. To explore this further, we must look at the file system.
In Windows Explorer, navigate to the following folder:
Obtain the Security Properties for this folder and notice the NTFS permissions. Without going into excessive detail, this is where you will want to ensure that IUSR_4GUYS has the appropriate permissions to access the database. A database that is only queried needs READ access; updates require READ and WRITE. READ and WRITE is the maximum permission needed in most cases. If your ASP code allows users to delete records in the database, this is still simply a file-level WRITE operation and should not be confused with a file-level DELETE. Replace the permissions on all files and subdirectories of the data folder and exit.
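The two steps above (clearing the IIS READ permission on the metabase entry for the data folder, then granting the anonymous account READ and WRITE on NTFS) can be scripted and verified. The following PowerShell is an added example, not part of the original article: it assumes the IIS 6 ADSI metabase provider is available, that W3SVC/1 is the Default Web Site, and uses placeholders for the folder path and probe URL, which the article does not give.

```powershell
# Added example (not from the original article). ASSUMED: IIS metabase reachable via ADSI,
# W3SVC/1 = Default Web Site. PLACEHOLDER values must be replaced with the real paths.
param(
    [string]$MetabasePath = "IIS://localhost/W3SVC/1/Root/Site1/data",  # ASSUMED site id 1
    [string]$FolderPath   = "C:\PLACEHOLDER\Site1\data",                # PLACEHOLDER physical path
    [string]$Account      = "IUSR_4GUYS",                                # anonymous account from the article
    [string]$ProbeUrl     = "http://localhost/Site1/data/database.mdb"  # ASSUMED URL of the database
)

# Step 1 (IIS side): clear the HTTP READ access permission and set Permissions to NONE
# (no script or execute access) on the data folder's metabase entry.
$dir = [ADSI]$MetabasePath
$dir.AccessRead    = $false
$dir.AccessScript  = $false
$dir.AccessExecute = $false
$dir.SetInfo()

# Step 2 (NTFS side): the ASP code runs as the anonymous account, so that account needs
# READ and WRITE on the folder and everything beneath it; DELETE is deliberately not granted.
$rights  = [System.Security.AccessControl.FileSystemRights]"Read, Write"
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRule($rule)   # replaces any existing Allow rules for this account
Set-Acl -Path $FolderPath -AclObject $acl

# Step 3 (check): the database must no longer be retrievable over HTTP.
# Windows PowerShell throws a WebException for a 403, so the success path is the catch block.
try {
    $resp = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing
    Write-Warning "FAIL: $ProbeUrl returned $($resp.StatusCode); folder is still readable over HTTP"
} catch [System.Net.WebException] {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 403) { Write-Host "OK: $ProbeUrl -> 403 (Read Access Forbidden)" }
    else { Write-Warning "Unexpected status $status for $ProbeUrl" }
}
```

Run it from an elevated prompt on the web server; the final probe is the same test the article performs by hand in a browser.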
That is all that is required to secure a database folder from URL-guessing eyes. This method can also be used to protect text files that are accessed through the FileSystemObject, or any other files that you do not want to be directly accessible over HTTP.
Good Luck and Happy Programming.......